It's a sad fact of life in IT nowadays that some form of preparation for dealing with malware is part and parcel of what systems and network administrators must do. This goes above and beyond normal due diligence in warding off malware. It includes a proper appreciation of the work and risks involved in handling malware infections, and acquiring a toolkit of repair and cleanup tools to complement protective measures involved in exercising due diligence. It should also include at least two forms of insurance – one literal, the other metaphorical – that can help avert or cover an organization against costs and liabilities that malware could otherwise force the organization to incur.
IBM Security plans to buy San Francisco-based Agile 3 Solutions, which makes software for visualizing data risk for analysis by senior executives. The deal is expected to close within weeks, but the financial terms were not released. It will include the purchase of Ravy Technologies, an Agile 3 subcontractor based in India. Agile 3’s software identifies risks to business programs and assets, and enables actions to head off possible exploits that could affect business processes. It provides a dashboard for measuring compliance with regulations and legislation.
IBM Security customers will be able to buy Agile 3 technology as a service through IBM Data Security Services or as features rolled into IBM Guardium, the company’s data-protection software. The company says the addition of the software will help identify and protect critical data.
For the sixth year in a row, SplashData has released its list of worst passwords. According to SplashData, the list is based on over five million leaked passwords, used by users in North America and Western Europe, that were posted for sale online. I thought it might be interesting to compare SplashData’s newest list with the top 25 most common password list released last week by rival firm Keeper Security. According to the two companies, these were the top 25 worst passwords people used in 2016:
The debate on public versus private cloud is a fierce one with advocates on both sides. Security experts, however, consistently fall in the pro-private camp. As a compliance and security expert, I have to agree. First, let’s be clear on the definitions. The public cloud is available to the public—in a free or pay-per-use capacity—and is accessible via the web. Some examples include Google Apps, Office 365, file sharing applications such as Box or Dropbox, and so on. The private cloud, on the other hand, is the same service, but it sits behind your firewall and limits access to your internal departments, employees, customers, etc. in your organization. The private cloud is either run by your IT department or your data center.
Late last year, ESG published a research report titled, Through the Eyes of Cyber Security Professionals, in collaboration with the Information Systems Security Association (ISSA). As part of this report, 437 cybersecurity professionals and ISSA members were asked if they’d experienced a number of types of security incidents. The research revealed that:
39% of organizations experienced one or several security incidents resulting in the need to reimage one or several endpoints or servers.
27% of organizations experienced one or several incidents of ransomware.
20% of organizations experienced one or several incidents resulting in the disruption of a business application.
19% of organizations experienced one or several incidents resulting in the disruption of a business process.
It should be noted that between 23% and 30% of the survey population responded “don’t know” or “prefer not to say” when asked about different types of security incidents, so the actual percentages are likely much higher than those represented above.
Banks all around the world are re-imagining their businesses to put customer demands front and center. They are undergoing massive digital transformation processes to do so; however, these transformations, coupled with an always-connected, digitally savvy customer and an emerging “hacker industry,” create new and heightened security risks that banks must deal with immediately. This is a new normal for banks, as evidenced by recent attacks such as the SWIFT hack, and maintaining the security of their systems and customer data will require them to follow new rules and regulations.
Rickety branches
Your gleaming corporate headquarters, filled with brand-new computers, may be what's on the front page of the company website, but we all know that in many large organizations, much of the day-to-day work happens in local branch offices, often small, poorly equipped, and understaffed. And of course, many companies and workers are embracing the flexibility offered by the internet to work at home full time. But these satellite worksites can end up causing big headaches for tech pros tasked with keeping company assets secure. We talked to a number of tech pros to find out more about the dangers—and the solutions.
New products of the week
Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.
Backblaze Business Groups
How secure are IP-based “security cameras”?
Based on our review of seven home security cameras, the answer is: Not very. While these devices may get high marks for features and ease of use, security is another story.
Our tests turned up results like these:
One camera allows plaintext logins as the root user, with no password. That’s horrifying in this day and age.
The same camera uses an outdated version of SSL that allows data leakage. A firmware update fixes both issues, but the upgrade is optional and many users skip it.
Another camera leaks its private API structure in plaintext even though it uses TLS to encrypt traffic. This potentially allows attackers to change video streams and possibly other device parameters.
Yet another camera can run a hacked firmware image that disables some services and enables others.
Two more cameras present SSL certificates that not only claim to be a different host, but also come from a certificate authority with a record of issuing bogus credentials.
It’s not all bad news. One camera, the CAN100USWT from Canary Connect, stood head and shoulders above the field in baking security into its product design. The Canary camera runs no services
No device is 100 percent immune from vulnerabilities, but there are some simple, common-sense steps you can take to protect IP-based cameras:
1. Don’t put cameras on the public internet. Given the wide availability of free scanning and vulnerability detection tools, it makes sense to avoid using routable IP addresses for IP cameras if at all possible. The recent DDoS attacks on core DNS infrastructure used botnets of public cameras, and all the attackers had to do was find the cameras. Instead, put cameras behind a firewall and run network address translation (NAT). While NAT is not itself a security mechanism, and has a long and well-deserved history of derision for breaking the Internet’s core principle of end-to-end connectivity, it will at least offer some protection from probes by scanning tools.
If you don’t live in the US and run an anonymous, Tor-friendly email service – such as one used by 4chan and 8chan – sadly, it’s a pretty decent bet that you would experience some drama when entering the US. At least that was the case for Vincent Canfield as he was detained by US Customs and Border Protection and had all of his electronics seized by the agency. He is originally from the US, but currently resides in Romania. Canfield, the admin of the cock.li e-mail hosting service, came to vacation in the US after attending the 33rd Chaos Communication Congress held in Germany during December. He claims CBP detained him for over three hours, asking “lots of strange” and “some offensive questions” about his personal life. He refused to comply and instead gave them his attorney’s contact information. Agents allegedly demanded that he decrypt his phone so they could “make sure there isn't any bad stuff on there.” Again he refused, so CBP seized the 14 electronic devices that Canfield had with him.
The developer behind Lavabit, an email service that noted leaker Edward Snowden used, is releasing source code for an open-source end-to-end encrypted email standard that promises surveillance-proof messaging.
The code for the Dark Internet Mail Environment (DIME) standard will become available on GitHub, along with an associated mail server program, said its developer Ladar Levison on Friday.
DIME will work across different service providers and perhaps crucially will be "flexible enough to allow users to continue using their email without a Ph.D. in cryptology," said Levison.
To coincide with its launch, Levison is also reviving Lavabit. The encrypted email service shut down in 2013 when federal agents investigating Snowden demanded access to email messages of his 410,000 customers, including their private encryption keys.
Researchers at Binghamton State University in New York think your heart could be the key to your personal data. By measuring the electrical activity of the heart, researchers say they can encrypt patients' health records. The fundamental idea is this: In the future, all patients will be outfitted with a wearable device, which will continuously collect physiological data and transmit it to the patients' doctors. Because electrocardiogram (ECG) signals are already collected for clinical diagnosis, the system would simply reuse the data during transmission, thus reducing the cost and computational power needed to create an encryption key from scratch.
There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, there are plenty of great conferences coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job — and we know it is — then attending some top-notch security conferences is on your must-do list for 2017. From major events to those that are more narrowly focused, this list from the editors of CSO will help you find the security conferences that matter the most to you.
Cybersecurity and staffing upgrades at the Internal Revenue Service appear to be in store, assuming Steven Mnuchin is confirmed as Treasury Secretary in the new Trump Administration. Mnuchin, a former CIO and executive vice president for Goldman Sachs, told senators in a five-hour confirmation hearing on Thursday that he is "very concerned about the lack of first-rate technology at the IRS" as well as staff cuts in recent years. Mnuchin is expected to be confirmed, and would likely work with Trump to pick the next IRS director.
Spanish police have arrested a Russian programmer suspected of developing the Neverquest banking Trojan, a malware targeting financial institutions across the world. The 32-year-old Russian citizen known as Lisov SV was arrested at the Barcelona airport, Spain's law enforcement agency Guardia Civil said on Friday. The FBI had been working with Spanish authorities to track down the suspect through an international arrest warrant, according to a statement from the agency. The FBI, however, declined to comment on the man's arrest. Neverquest is designed to steal username and password information from banking customers. Once it infects a PC, the malware can do this by injecting fake online forms into legitimate banking websites to log any information typed in. It can also take screenshots and video from the PC's desktop and steal any passwords stored locally.
Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps. Since 2014, Google has been scanning apps published on Google Play for known vulnerabilities as part of its App Security Improvement (ASI) program. Whenever a known security issue is found in an application, the developer receives an alert via email and through the Google Play Developer Console. When it started, the program only scanned apps for embedded Amazon Web Services (AWS) credentials, which was a common problem at the time. The exposure of AWS credentials can lead to serious compromises of the cloud servers used by apps to store user data and content.
The IoT security market will reach a valuation of $36.95 billion by 2021, says data from a Marketsandmarkets.com analyst report. Where the cyber security mayhem grows, so flows the security market money. In 2017, experts predict that gaping IoT security holes will lead to the destruction of critical infrastructure and increases in competitive intelligence gathering and intellectual property theft. 2017 will see more DDoS attacks of the magnitude that brought down the Dyn Domain Name System service and many high-profile web domains with it.